
VPN

23K

Solutions

22K

Contributors

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.


I've got a new Windows 2016 server running RRAS and Network Policy Server.  This is replacing a Windows 2008 R2 box with the same setup.  And that old box needs to be decommissioned ASAP.

When I try to connect via any of our Win 10 machines (I haven't tested on other client os), I get the error:
The specified protocol identifier is not known to the router.

An error 902 appears in the log, which is that same error message: https://support.microsoft.com/en-us/help/824864/list-of-error-codes-for-dial-up-connections-or-vpn-connections

The plan is to use SSTP with a valid certificate, but that gives the error.  

To eliminate anything with the router or the certificate, I temporarily changed the NPS rules to only use MS-CHAP v2 and tried connecting using PPTP (I know, dangerous, but this is testing) using the machine's local IP address.  That test completely eliminates anything going through the site's router.  I also completely disabled the server's firewall.  There's no antivirus on the machine yet.  I get an identical error.

I've checked the policies over and over; they're identical to what works on the existing W2K8 box.  If I switch the local IP to the W2K8's on the client, the VPN works fine.  If I use SSTP through the W2K8 box, it's fine.  The same setup on the 2016 box fails.  I've got to be missing something obvious.

I've used the same setup elsewhere without issue.

Any idea what this 902 "The specified protocol
0

We have defined a VPN boundary group for our remote employees in single site, single server SCCM current branch (1706) setup. Our company's setup is very simple - one server is the site server, DP, and MP. We're all in one building. However we need to define the "VPN" boundary group to be a "slow" link for those that connect remotely.

I cannot find a way to do this in SCCM 1706. Does anyone know how to do this?

KH
0
All of a sudden my cisco anyconnect will not work.  It connects but I cannot connect to any shared drives or ping anything on the host computer.  Any ideas?
0
There is a way to configure AnyConnect VPN logging to track one particular username. Once the user logs in to the VPN, the ASA will email the log to an email address. I used to know the website that assisted with this config and I can no longer find it. Does anyone know the syntax for this?
0
VPN slows the internet. Is there a way to have it apply only to a specific tab or browser?

For example, if I use Chrome the VPN will apply, but if I use Safari it won't.

For Mac.
0
Setting up a site to site vpn with a partner.  We have overlapping networks so we need to setup NAT.  The partner does not want to pass private IP's over the VPN stating that it is best practice to not use private IP's.  Is this best practice?  We have created several vpn's and all have passed private IP's.  The problem we have is our end is on the AWS network and they do not allow NATing in their VPN connections.  Is passing private IP's really a bad thing?  We are limited on our end by AWS but if the partner wants to connect and pass public IP address what are our options?  Traffic will only be initiated one way....from partner to AWS network.  The partner needs to connect to a load balancing device at 192.168.5.100 using port 6500.  If I can't NAT my IP subnet and the partner needs to NAT to a private IP, what are the options?
0
Dear Experts

I have my servers running in a housing center. All of them are virtual, protected by a pfSense firewall. Directly on this firewall I created OpenVPN, created certificates, created users and distributed client software.

Now I am sitting in my home office with my wife. We have exactly the same configuration of workstation computers, but while when I connect to OpenVPN I can see no restarts since 8 a.m. in the morning, her VPN client is full of restarts, maybe every 5-10 minutes.

Do you have any idea why? And how to troubleshoot the problem?

Many thanks

Vladimir
0
So, here is my scenario

Currently with 192.168.60.0/24 network set as VLAN200 on a switch, my router is 192.168.60.2.

Got a cisco 2960 switch as 192.168.60.1, and set with default GW 192.168.60.2

However, I need to set a new vlan for a vpn (mikrotik)

Mikrotik ip is 8.20.15.251/24

I've created a VLAN400 as 8.20.15.0/24 and indicated the IP helper as the Mikrotik. After assigning ports to that VLAN, it doesn't acquire an IP, nor reach the GW (if I assign a static IP to the computer). From the switch, if I try to ping the Mikrotik IP, it does not respond (if I connect a computer directly to the Mikrotik, I do get an IP, I can access it and even access the VPN services without problems).

Am I missing something?

thank you
0
Hi
Got a question.  We have several sites connected via site to site VPNs to our headquarters in a hub and spoke topology.

What we're trying to do is find a way DNS will resolve a particular hostname when the VPN tunnel is connected, but when the tunnel is not connected, it will resolve to the public A record.
All remote sites have an on-premise domain controller that handles DNS.

Example:
mail.company.com resolves (internally) to the internal mail server:  192.168.1.50 (for example).
This is good, but when the VPN tunnel at a remote office is down, the clients are still resolving mail.company.com to the internal IP, which will obviously fail since there's no route.  What we want is for them to resolve the external DNS, which in this case might be 52.18.29.158 or whatever.

I would have no problem having the users at remote sites permanently access certain A records via the public DNS lookup, but is that possible?  Can I have an A record in my internal DNS servers that resolves to a different IP?

Example, at the headquarters location, mail.company.com resolves to the internal IP, but at all other remote locations, mail.company.com resolves to the external IP
0
Hi,

I'm aware others have had similar issues to mine but none of those fixes resolved my issue.  We have 10 sites, each with a SonicWall (various models).  At site A, we recently switched our primary ISP and now our other sites aren't able to ping the LAN IP address of site A even though the VPN is up and running from site A to the other sites.  The other sites can successfully ping other devices at Site A (such as computers) but not the SonicWall LAN IP.  Site A can ping out normally to any other site.  This issue occurred when we switched ISP.  The settings seem to be correct but something is causing the ping not to go through.  It seems "Ping" is enabled in Site A SW where applicable.  I will appreciate any suggestions.
0

Hello,

I am trying to fix an issue with ASA firewalls. I have an L2L VPN between two ASAs with an IPsec tunnel using IKEv2. The tunnel is working fine for one pair of source IP and destination IP addresses.

However, I have another pair of IPs (two servers between the remote LANs) which are included and permitted in the same access-list and crypto map as the working pair of IPs. But they are not able to communicate.

They are also permitted on the access-list which is applied on the inside interface from the LAN.

I can see the Built TCP connection in the ASA real-time log for the working pair of servers, but absolutely no information in the log for the other pair.

In the LAN we have another ASA directly connected which is showing "SYN timeout" after 30 seconds.

It is very strange, because the access-lists for the mentioned pairs of source and destination IPs have the same configuration and are applied the same way, but the security association is built only for the first one.

I even see hit counts in the access-list permit statements for both communications.

Is it possible, that the issue can be on the remote end of the tunnel (the 3rd ASA on the way for the packet towards the remote LAN)? I don't have the access to the 3rd ASA.

Please help,
0
I am unable to install Cisco AnyConnect, getting an error: there is a problem with the Windows installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.
0
I have an environment that resulted in using an AMI VPN appliance since their firewall wasn't compatible with the native Amazon VPN services.  I want to move away from the AMI VPN appliance and use the native Amazon VPN services since they're free.  With that said, is the Amazon VPN service an AMI or simply a native feature in EC2?  I need to set up a lab.  When I refer to the Amazon VPN service, I guess this is the 'virtual private gateway to the VPC'?
0
I created an incoming connection on a Windows Server 2008. I can connect to the network just fine, but I can't access network resources because the network that I am on has the same IP scheme. I changed it to test my theory. If I'm on the road there are likely Wi-Fi networks that will have the same problem. Are there any other options other than changing the IP scheme of the target network?
0
I am trying to work my way through the tricky world of Azure and AD Connect. In short, I have a central site with a domain, and I have multiple smaller sites with just a few machines. I want to join those machines also to the domain. I was thinking, rather than trying to join the machines to the domain over a VPN, could I simply create a member server in Azure which would allow the smaller sites to connect directly? Is this even possible?
0
Dear Experts

Would you advise how to proceed? I have my server in a housing facility and my client computers are connected via OpenVPN, i.e. it is not a connection directly to the server, but to the firewall in front of the server.

How can I join a remote computer to the domain?

Many thanks

Vladimir
0
Hi,

I'm struggling with this issue. I wanted to use the connector provided by Windows which can be downloaded via http://servername/connect
However, it is not compatible with this new version of macOS.

Does anyone have experience with setting up a VPN connection on a new OS X Mac with Server 2012 Essentials?

Regards,
0
Hi
Weird issue here.  Saving changes to a pptx file over a VPN is not working.
The file shows as being saved on screen; thereafter it creates a tmp file and then shows the original pptx file prior to saving the changes.
It seems to work fine locally on the same LAN.
Ideas?
0
Hi Team,

My understanding:
When we create a site-to-site VPN, a route gets created for the destination network pointing to the outside interface, based on which the ASA understands that when traffic for this IP arrives, it needs to put it across the tunnel.

Query:
Kindly explain the mechanism by which ASA creates this route and also share any documentation if available.
0

Hi,

I am travelling in mainland China and naturally sites like Google and YouTube etc. are blocked.

I am thinking about getting one of the iOS vpn apps.

My concern is it monitoring my internet data in regards to passwords I type in the mail app etc.

What I am thinking is that if those programs do the encryption themselves, I will be safe and this can't be attacked. SSL sites will be safe.

Are my assumptions correct? Are there any risks at all?

Thanks

Ward
0
I have set up RRAS on Server 2012 R2, specifically using L2TP as the primary connection in for remote access.
I also enabled port forwarding on the router to be directed to the server hosting RRAS.

RRAS Setup:
Enabled for IPv4 and using DHCP rather than static address pool
Authentication provider is windows authentication
Accounting provider is windows accounting
Preshared key has been setup

The ports I forwarded are:
L2TP port 1701 UDP
Port 500 UDP
Port 4500 UDP

I also tried TCP/UDP on these ports and still unable to connect.

VPN End User setup:
Setup for L2TP
Requires encryption
Setup to use CHAP and MS-CHAP v2
Also tried using EAP-MSCHAP but no change
Ensured I entered the correct Preshared key for L2TP

Confirmed RRAS is OK as I have been able to get PPTP working without issue.

What am I missing?

Thanks!
0
I've got a 5545-X that I'm configuring for remote access VPN.  I've done a few 5506s but this is my first 5545.

I initially started with AnyConnect. I could get the client connected, but I couldn't get a ping response.  The client statistics showed control data was being exchanged.  Client data was being sent, but not received.

I wiped and reconfigured and got the exact same results.   Then I tried configuring IPSec for the legacy VPN Client because I can always get that to work. :-)

Exact same results.  Client connects fine but no data.  "show cry ipsec sa" shows pkts decap are increasing but pkts encaps are not.  

I figure that I'm just missing something and I've been looking at it for so long that I'm just not seeing it. Hoping someone can look at this and see a typo or a missing statement that I'm missing.

I've stripped out all the non-essentials and sanitized the output.  If I got overzealous with the stripping and cleaning, let me know and I'll repost.

Thanks.

Don

P.S.  I've added a bunch of... junk that I don't usually have while throwing things at this to see if something sticks.

ip local pool RA_VPN_POOL 192.168.255.1-192.168.255.62 mask 255.255.255.192
ip local pool AnyConnect_VPN_Pool 192.168.255.129-192.168.255.254 mask 255.255.255.192
!
object network VPN-Nets
 subnet 192.168.255.0 255.255.255.0
!
object-group network Inside-Networks
 network-object 10.10.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
!

0
All experts, I have a remote site with multiple VLANs connected by site-to-site VPN.  Their IP address range starts at 10.0.8.0 / 255.255.252.0 and some departments have 10.0.28.0, 10.0.29.0, 10.0.30.0 / 255.255.255.0.   How do I combine these networks and route them with a simple route statement for use on the VPN?  I currently have all VLAN networks mapped and working, but I would like to have a simple statement such as the following:

10.0.0.0 255.255.0.0 to  10.0.28.0, 10.0.29.0, 10.0.30.0 / 255.255.255.0 and 10.0.8.0 / 255.255.252.0

I hope it makes sense. I believe supernetting was how it was configured. I'm open to your advice. Thank you!
0
Devices:
Google Home,
Aruba IAP-305 (RW)
NordVPN


I am trying to set up a VPN for my Google Home so it will register as being in the US. I am currently in Ireland and have purchased a subscription to NordVPN.  From what I understand, a VPN cannot be put on the actual Google Home device.

I currently make a lot of calls to the US. Google Home offers free calls in the US but is not available here in Ireland. This is one of the main things I want to get from my Google Home.

If the net result of the VPN makes Google Home look like it's in the US, I do not want the rest of my tech devices to think they are in that location, i.e. all of my other tech devices keep their locations in Ireland.

Regards,
Robbie
0
I never really addressed this, but my Windows 7 Enterprise machines do not have the option to connect to Cisco VPN Client 5.0 prior to logging on.

I have searched the internet and supposedly there should be a Network icon next to the power button.

Can anyone assist?
0